The Delegation Wizard allows administrators to delegate control of objects or containers to other users. This wizard is available on Windows 2000 domain controllers and servers.

The Delegation Wizard is used to set the required Active Directory access permissions on objects to give users various levels of control. The Delegation Wizard simplifies the process of granting object access to a user or group by allowing the administrator to select from a previously defined set of tasks that can be delegated. The list of tasks that can be delegated through the Delegation Wizard is maintained in a file called Delegwiz.inf, which is created in the <Windows installation directory>\Inf folder. Administrators can modify this file to add or delete items from the list of delegatable tasks.

Adding a task

To add a task to the Delegation Wizard, you must create a task template by using the following syntax in the Delegwiz.inf file:

;---------------------------------------------------------
[template1]
AppliesToClasses=<comma delimited list of object types to which this
template applies; for example, if "organizationalUnit" is in the list,
this template will be shown when the Delegation Wizard is invoked on
an OU>
Description = "<task description which will appear in the wizard>"
ObjectTypes = <comma delimited list of object types whose permissions
will be adjusted; for example, "ObjectTypes = SCOPE,Obj1,Obj2,Obj3">
[template1.SCOPE]
<permission entries for SCOPE>
[template1.Obj1]
<permission entries for Obj1>
[template1.Obj2]
<permission entries for Obj2>
[template1.Obj3]
<permission entries for Obj3>
;---------------------------------------------------------

The permission entries for the "SCOPE" object type are used to control the security on the container itself.

Each list of permission entries must contain one or more of the following permission specifiers:

Sample templates

The two sample templates below demonstrate the above syntax. These templates came from the standard Delegwiz.inf file.

Template10 sample

The following template applies to domain and organizational unit (OU) container objects, so it will appear when the Delegation Wizard is run from the properties of Domain or OU objects. It will apply access changes to the container itself (SCOPE) and to inetorgperson objects. The changes it applies to the container itself are CC (create child) and DC (delete child) access. The change it applies to inetorgperson objects within the specified container is GA (full control).

Template11 sample

The following template applies to domains and OUs and will be displayed when the Delegation Wizard is started from the property menu of those objects. It instructs the Delegation Wizard to grant the specified user the "Reset Password" control, RP (read permissions), and WP (write permissions) to inetorgperson objects within the specified container.
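
Because administrators can edit Delegwiz.inf, it is worth checking a modified copy before relying on it. The following is an added example, not part of the original page or of the shipped file: a Python check that confirms each template has the keys and per-object-type sections required by the syntax above and flags any template that grants GA (full control). The sample content, the template names template90 and template91, and the `<name>=<PERM>,<PERM>` form of a permission entry are assumptions.

```python
# Constructed sample in the template syntax shown above; not the shipped Delegwiz.inf.
SAMPLE_INF = """\
; assumption: a permission entry has the form <name>=<PERM>,<PERM>
[template90]
AppliesToClasses = organizationalUnit,domainDNS
Description = "Constructed: create, delete, and manage inetOrgPerson"
ObjectTypes = SCOPE, inetOrgPerson
[template90.SCOPE]
inetOrgPerson=CC,DC
[template90.inetOrgPerson]
@=GA
[template91]
AppliesToClasses = organizationalUnit
ObjectTypes = user
"""

REQUIRED = ("appliestoclasses", "description", "objecttypes")

def parse_sections(text):
    """Return {section: {key: value}}; names are lower-cased (INF is case-insensitive)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().strip('"')
    return sections

def audit_templates(text):
    """Map each template name to its findings; an empty list means none."""
    sections = parse_sections(text)
    report = {}
    for name, body in sections.items():
        if "." in name:                           # per-object-type section, read below
            continue
        findings = [f"missing {key}" for key in REQUIRED if key not in body]
        for obj in (o.strip() for o in body.get("objecttypes", "").split(",")):
            entries = sections.get(f"{name}.{obj}".lower())
            if obj and entries is None:           # listed in ObjectTypes, never defined
                findings.append(f"no [{name}.{obj}] section")
            for target, perms in (entries or {}).items():
                if "GA" in (p.strip().upper() for p in perms.split(",")):
                    findings.append(f"GA (full control) on {obj}: {target}")
        report[name] = findings
    return report
```

Calling `audit_templates` on the text of a Delegwiz.inf file returns one list of findings per template, so a template that was added or widened after installation stands out when the result is compared with an earlier run.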